PolarSSL 1.3.6 released

Description

Fresh from the oven: PolarSSL 1.3.6 is here!

This release contains a number of smaller changes and bug fixes, which don't affect the existing API. Primarily, support for the ALPN extension is added, and extra checks are introduced to mitigate some semantic discrepancies that were reported. In addition, a security issue introduced in 1.3.5 has been fixed.

Features

On the feature-front this release introduces support for:

ALPN extension support

Verification of keyUsage and extendedKeyUsage extensions

Enabling /dev/random in gen_key

In addition, outstanding bugs were fixed.

ALPN extension support

Although the RFC is not yet an official standard, more and more applications are starting to use ALPN support. We have added ALPN in this release to help those projects.

Support for ALPN (POLARSSL_SSL_ALPN) is enabled by default and allows you to set the list of acceptable protocols with ssl_set_alpn_protocols() and retrieve the negotiated protocol with ssl_get_alpn_protocol().

Verification of keyUsage and extendedKeyUsage extensions

The so-called Frankencert report revealed some semantic discrepancies between libraries and standards. PolarSSL 1.3.5 already fixed some of those affecting PolarSSL. This release adds support for automatically verifying the keyUsage extension in certificates (POLARSSL_X509_CHECK_KEY_USAGE) and the extendedKeyUsage extension in certificates (POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE).

This fixes all the possible security issues revealed in the report. One issue (a false negative not affecting security) is still left and we are working with the authors of the report to clarify it.
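The rule these two checks enforce, shown as an added example that is not PolarSSL's own code: a missing extension imposes no restriction, but a present keyUsage must carry every bit the negotiated key exchange needs, and a present extendedKeyUsage must list the purpose (or anyExtendedKeyUsage). The constants, the struct and all function names here are this example's own, and the sample certificates are constructed.

```c
#include <stdbool.h>
#include <string.h>

/* RFC 5280 KeyUsage bits, numbered as in the RFC (bit 0 = digitalSignature).
 * These are this example's own constants, not PolarSSL identifiers. */
#define EX_KU_DIGITAL_SIGNATURE (1u << 0)
#define EX_KU_KEY_ENCIPHERMENT  (1u << 2)
#define EX_KU_KEY_CERT_SIGN     (1u << 5)
#define EX_KU_CRL_SIGN          (1u << 6)
#define OID_SERVER_AUTH "1.3.6.1.5.5.7.3.1"   /* id-kp-serverAuth */
#define OID_ANY_EKU     "2.5.29.37.0"         /* anyExtendedKeyUsage */

enum kex { KEX_RSA, KEX_DHE_RSA, KEX_ECDHE_RSA, KEX_ECDHE_ECDSA };

struct ex_cert {                /* hypothetical parsed certificate: only what the checks need */
    bool has_key_usage;     unsigned key_usage;           /* bit set, see above */
    bool has_ext_key_usage; const char *ext_key_usage[4]; /* NULL-terminated OID list */
};

/* KeyUsage the peer certificate needs for the negotiated key exchange (RFC 5246
 * 7.4.2): RSA key transport encrypts the premaster secret, all others sign. */
unsigned ex_required_key_usage(enum kex k) {
    return k == KEX_RSA ? EX_KU_KEY_ENCIPHERMENT : EX_KU_DIGITAL_SIGNATURE;
}

/* 0 = acceptable, -1 = rejected. An absent extension imposes no restriction;
 * a present one must contain every required bit (a CA-only cert fails here). */
int ex_check_key_usage(const struct ex_cert *c, unsigned required) {
    if (!c->has_key_usage) return 0;
    return (c->key_usage & required) == required ? 0 : -1;
}

/* Same convention. Absent: unrestricted; present: the wanted purpose, or
 * anyExtendedKeyUsage, must be listed. */
int ex_check_ext_key_usage(const struct ex_cert *c, const char *oid) {
    if (!c->has_ext_key_usage) return 0;
    for (const char *const *p = c->ext_key_usage; *p != NULL; p++)
        if (strcmp(*p, oid) == 0 || strcmp(*p, OID_ANY_EKU) == 0) return 0;
    return -1;
}

/* Both checks, as applied once the peer's certificate has been received. */
int ex_verify_peer_cert(const struct ex_cert *c, enum kex k, const char *eku) {
    if (ex_check_key_usage(c, ex_required_key_usage(k)) != 0) return -1;
    return ex_check_ext_key_usage(c, eku);
}

/* Constructed sample certificates; nothing here parses real DER. */
const struct ex_cert ex_web_server = { true, EX_KU_DIGITAL_SIGNATURE | EX_KU_KEY_ENCIPHERMENT,
                                       true, { OID_SERVER_AUTH, NULL } };
const struct ex_cert ex_ca_only = { true, EX_KU_KEY_CERT_SIGN | EX_KU_CRL_SIGN, false, { NULL } };
const struct ex_cert ex_no_exts = { false, 0, false, { NULL } };
```

The ex_ca_only case is the one the Frankencert-style reports target: a certificate whose keyUsage only allows signing other certificates must not be accepted as a TLS end-entity certificate.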

EC curve constants, which should have been in ROM only since 1.3.3, were also stored in RAM due to missing 'const' qualifiers (found by Gergely Budai).

More details can be found in the ChangeLog.

Security

In the last release, we introduced a new issue with checking the time validity of certificates (other than the top certificate). A user-supplied chain containing only one certificate is not affected by this issue.

In addition, a potential timing leak in ecdsa_sign() was reported by Watson Ladd and fixed by blinding the modular division.

A potential NULL pointer dereference in ssl_read_record(), found by TrustInSoft, was also eliminated.